CVE-2026-31727 Overview
CVE-2026-31727 is a NULL pointer dereference vulnerability in the Linux kernel's USB gadget Ethernet driver (u_ether). The flaw resides in the eth_get_drvinfo() function within the USB gadget subsystem. A prior commit (ec35c1969650) reparents the gadget device to /sys/devices/virtual during unbind, which clears the gadget pointer. If a userspace tool queries the surviving network interface during this detached window, the kernel dereferences a NULL pointer and crashes. The vulnerability is tracked under [CWE-476] (NULL Pointer Dereference) and affects local users with low privileges on systems using USB gadget networking modules such as f_ncm.
Critical Impact
A local user can trigger a kernel NULL pointer dereference by issuing an ethtool query against a USB gadget network interface during unbind, resulting in a kernel crash and denial of service.
Affected Products
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Linux Kernel stable branches containing commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move")
- Systems using the u_ether USB gadget driver with NCM or related function drivers
Discovery Timeline
- 2026-05-01 - CVE-2026-31727 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31727
Vulnerability Analysis
The vulnerability resides in drivers/usb/gadget/function/u_ether.c, specifically in the eth_get_drvinfo() callback exposed to the ethtool subsystem. The function reads dev->gadget and dereferences it to populate the fw_version and bus_info fields returned to userspace ethtool consumers.
When a USB gadget function such as f_ncm is unbound, commit ec35c1969650 reparents the underlying gadget device to /sys/devices/virtual and clears the gadget pointer on the network device. The network interface itself remains visible to userspace during this transitional window. A concurrent ethtool ioctl on the surviving interface reaches eth_get_drvinfo(), which dereferences the now-NULL dev->gadget, producing the kernel oops shown in the call trace: eth_get_drvinfo+0x50/0x90 → ethtool_get_drvinfo+0x5c/0x1f0 → __dev_ethtool+0xaec/0x1fe0 → dev_ioctl+0x338/0x560.
Root Cause
The root cause is a missing NULL check on dev->gadget inside eth_get_drvinfo(). The original code assumed the gadget pointer remains valid for the lifetime of the network device. The lifecycle change introduced by device_move broke that assumption by clearing the pointer while the netdev is still reachable from userspace.
Attack Vector
Exploitation requires local access with permission to invoke ethtool ioctls. An attacker triggers an unbind of a USB gadget configuration (or waits for one to occur) and races an ethtool -i <iface> query against the surviving interface. The race window opens once the gadget pointer is cleared but before the netdev is fully unregistered, leading to a kernel panic and denial of service on the affected host.
No verified public proof-of-concept code is available. See the upstream commits referenced in the Kernel Git Commit a36e5e8 for the technical fix details.
Detection Methods for CVE-2026-31727
Indicators of Compromise
- Kernel oops messages referencing eth_get_drvinfo+0x50/0x90 in dmesg or /var/log/kern.log
- Call trace entries showing ethtool_get_drvinfo followed by __dev_ethtool and dev_ioctl
- Unexpected system crashes or hangs correlated with USB gadget unbind events or configfs operations on /sys/kernel/config/usb_gadget/
Detection Strategies
- Monitor kernel ring buffer for Unable to handle kernel NULL pointer dereference messages tied to USB gadget interfaces
- Audit ethtool invocations against gadget-backed network interfaces during configuration changes using auditd rules on the ioctl syscall
- Track loading and unbinding of u_ether, f_ncm, f_ecm, and related gadget modules through kernel_module audit events
Monitoring Recommendations
- Collect kernel crash dumps with kdump and forward stack traces to a centralized logging platform for triage
- Alert on repeated USB gadget bind/unbind sequences originating from non-administrative user contexts
- Correlate netdev lifecycle events with concurrent ethtool queries to identify race attempts
How to Mitigate CVE-2026-31727
Immediate Actions Required
- Apply the upstream kernel patches referenced in the vendor advisories to all affected hosts running Linux 7.0-rc1 through 7.0-rc6
- Restrict local access to systems exposing USB gadget networking, particularly embedded and developer devices
- Limit CAP_NET_ADMIN and direct ioctl access on gadget-backed interfaces to trusted administrative accounts
Patch Information
The fix adds a NULL check for dev->gadget in eth_get_drvinfo(). When the gadget is detached, the function skips copying the fw_version and bus_info strings, relying on ethtool_get_drvinfo to handle empty strings natively. The patches are available in the following stable kernel commits: Kernel Git Commit 0326429, Kernel Git Commit 7de4d46, Kernel Git Commit a36e5e8, and Kernel Git Commit e002e92.
Workarounds
- Unload the u_ether and dependent gadget function modules (f_ncm, f_ecm) on systems that do not require USB gadget networking
- Disable USB gadget configfs mounts on production hosts that do not act as USB device endpoints
- Block unprivileged users from issuing ethtool ioctls against gadget-backed interfaces using namespace and capability restrictions
# Configuration example: blacklist USB gadget Ethernet modules where not required
echo "blacklist u_ether" | sudo tee /etc/modprobe.d/blacklist-u_ether.conf
echo "blacklist usb_f_ncm" | sudo tee -a /etc/modprobe.d/blacklist-u_ether.conf
echo "blacklist usb_f_ecm" | sudo tee -a /etc/modprobe.d/blacklist-u_ether.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
